A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 
1) ☒ Responsive to communication(s) filed on 01 August 2007 (Amendment).
2a) ☒ This action is FINAL. 2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

6) ☒ Claim(s) 1, 2, 4-6, 8-15, 18-22, 24 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on ____ is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) □ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 
a) □ All b) □ Some * c) □ None of:

1. □ Certified copies of the priority documents have been received.

DETAILED ACTION

1. Applicant's amendment filed on Aug. 01, 2007 has been entered. Claims 1, 2, 4-6, 8-15, 18-22, 24 are pending. Claims 1, 5, 13 and 24 are amended by the applicant.

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1, 2, 4-6, 8-15, 18-22, 24 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Brandow et al (US Patent No. 6,938,041) in view of Reshef et al (US 
Patent No. 6,584,569) and in view of Wagner (US Patent No. 6,085,224). 

As per claim 1, Brandow teaches:

said message that including the information entered for constructing a query to access 
data of the server that includes information entered by a user into a web page provided 
by the server directly incorporated therein [Fig. 2, 6A, 6B, 7B-10A]. 
Reshef teaches: 

analyzing the messages that flow between a client browser and a server hosting the 
web application, intercepting said message before any content of said message is 
processed by said server [Fig. 2A, 2C, col. 5 lines 1-4]. Further, Reshef teaches: 
examining said message to determine if it contains one or more unauthorized elements 
[Fig. 2A, 2C, col. 7 lines 18-67, col. 8 lines 1-12, col. 9 lines 32-51], the examining 
comprising: receiving an identification of an execution program set to be used to 
process said message received [col. 9 lines 60-67, col. 10 table 1]; retrieving an 
identification of all message types associated with said execution program set; 
examining said message received by said server in relation to said message types 
associated with said execution program set [col. 10 table 1, lines 26-61]. 
Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Reshef with Brandow, since one would have been 
motivated to detect vulnerabilities or security flaws in a web application [Reshef, col. 2 
lines 18-20]. 
Wagner teaches: 

determining if said message received by said server contains an unauthorized element 
in relation to the corresponding message type for said message received; if it is 
determined that said message contains an unauthorized element preventing said 
message received from being processed by said server; if it is determined that said 
message does not contain an unauthorized element allowing said message received to 
be processed by said server [Fig. 1, col. 7 lines 44, col. 15 lines 42-67, col. 16 lines 1-42].

Therefore, it would have been obvious to a person of ordinary skill in the art at the time 
the invention was made to combine Wagner with Brandow and Reshef, since one would 
have been motivated to restrict access to resources or data on a computer system 
when the computer is in communication with another computer [Wagner, col. 4 lines 7-9].

As per claim 2, the rejection of claim 1 is incorporated and Wagner teaches if it is 
determined that said message received contains an unauthorized element, preventing 
said message received from being processed by said server, and causing an error 
notification to be sent to said user [col. 4 lines 62-67, col. 16 lines 34-47]. 

As per claim 4, the rejection of claim 1 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 2 above. 

As per claim 5, it encompasses limitations that are similar to limitations of claim 1. Thus, 
it is rejected with the same rationale applied against claim 1 above. 

As per claim 6, the rejection of claim 5 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 2 above. 

As per claim 8, the rejection of claim 5 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 2 above. 

As per claim 9, the rejection of claim 8 is incorporated and further Wagner teaches: 
if it is determined that said message received does not contain an unauthorized 
element, allowing said message received to be processed by said server [Fig. 1, 5, 6]. 

As per claim 10, the rejection of claim 1 is incorporated and Wagner teaches the 
message comprising a name value pair [col. 15 lines 51-62, Fig. 3]. 

As per claim 11, the rejection of claim 1 is incorporated and Wagner teaches said 
element comprises one or more of the following items: an instruction, a command, a 
character, a parameter, a token, or a string of any of said previous items [col. 15 lines 
51-62, Fig. 3]. 

As per claim 12, the rejection of claim 11 is incorporated and further Wagner teaches: 
said element is interpretable as an instruction or command by said server [col. 15 lines 
51-62, Fig. 3]. 

As per claim 13, it is an apparatus claim corresponding to method claim 1 and is 
rejected for the same reason set forth in the rejection of claim 1 above. 

As per claim 14, the rejection of claim 13 is incorporated and Reshef teaches: 
network server comprises an Internet network server and said message is received over 
the Internet by said server from a user [Fig. 2C]. 

As per claim 15, the rejection of claim 13 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 2 above. 

As per claims 18 and 19, the rejection of claims 13 and 18 are incorporated and are 
rejected for the same reason set forth in the rejection of claims 10 and 11 above. 

As per claim 20, the rejection of claim 19 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 12 above. 

As per claim 21, the rejection of claim 1 is incorporated and Reshef teaches: 
the message types are chosen from the group consisting of: single token; string; 
multiple tokens without keywords: OR, UNION and SEMI-COLON; multiple tokens 
without keywords: UNION and SEMI-COLON; multiple tokens without keywords: SEMI-COLON; 
and multiple tokens without restriction [col. 9 lines 40-45, col. 10 table 1]. 

As per claim 22, the rejection of claim 5 is incorporated and is rejected for the same 
reason set forth in the rejection of claim 21 above. 

As per claim 24, the rejection of claim 1 is incorporated and Brandow teaches the query 
is a database query that includes an entirety of the information entered by the user into 
a field of the web page [Fig. 2, 6A, 6B, 7B-10A]. 

Response to Amendment 

3. Applicant has amended claims 1, 5, 13 and 24, which necessitated new ground 
of rejection. See rejection above. 

Conclusion 

4. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Nirav Patel whose telephone number is 
571-272-5936. If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu, can be reached on 571-272-3859. The fax and phone 
numbers for the organization where this application or proceeding is assigned is 
571-273-8300. Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is 
571-272-2100. 



NBP 

10/13/07 